Cannot Create Secrets Manager Secret with KMS key without DECRYPT permissions
Should be able to have a role with encrypt only permissions put a secret in Secrets Manager
Please tell me this is a bug.
I created a role with encrypt only permissions. I’m using that role to run this script which stores a value in Secrets Manager only. This role will not be the same role to retrieve the secret later so it should not need decrypt permissions.
Once again getting an ambiguous KMS error:
Access to KMS is not allowed
This error message is incorrect because I’ve checked and the role does have KMS permissions. In addition, that role has permission to ENCRYPT a value with the key.
So I go over to CloudTrail and I find two related errors:
Secrets Manager via CloudFormation provides this unhelpful information:
The KMS error says:
Why would this role need DECRYPT permission to create a secret and encrypt it in KMS?
I do not WANT this role to have decrypt permissions, only encrypt permissions.
Also, where is the ENCRYPT action in the logs? There’s nothing that can even be decrypted at this point because the value hasn’t even been encrypted.
I had this working before. Not sure if I changed something or something at AWS changed but I don’t see how the above template should ever trigger the decrypt action.
In any case, I added the ability for the user running the above to DECRYPT in the KMS key policy and the script works. This really should be fixed. It’s like not having the ability to only give read OR write access to a directory but being forced to give both permissions.
Teri Radichel
© 2nd Sight Lab 2022
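Added example, not part of the original post: a way to read the CloudTrail records the post refers to and list which KMS actions were allowed or denied for a role, and whether an AWS service made the call on its behalf. The events are constructed; the role name, account ID, key ID and the KMS error message are placeholders, and the kms:GenerateDataKey record is an assumption about what Secrets Manager requests.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records (trimmed to the fields used here). Account ID,
# role name, key ID and the KMS errorMessage are placeholders, not from the post.
ROLE = "arn:aws:sts::111122223333:assumed-role/EXAMPLE-encrypt-only/deploy"
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_EVENTS = [
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "CreateSecret",
     "errorCode": "AccessDeniedException",
     "errorMessage": "Access to KMS is not allowed",
     "userIdentity": {"arn": ROLE}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": ROLE, "invokedBy": "secretsmanager.amazonaws.com"},
     "resources": [{"ARN": KEY}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "errorCode": "AccessDenied", "errorMessage": "<constructed placeholder>",
     "userIdentity": {"arn": ROLE, "invokedBy": "secretsmanager.amazonaws.com"},
     "resources": [{"ARN": KEY}]},
]

def summarize_kms_calls(events):
    """Group KMS calls by (principal, key): actions allowed, denied, and the caller."""
    summary = defaultdict(lambda: {"allowed": set(), "denied": set(), "via": set()})
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue  # only KMS records name the KMS action that was evaluated
        ident = ev.get("userIdentity", {})
        keys = [r.get("ARN") for r in ev.get("resources", [])] or ["<unknown key>"]
        denied = ev.get("errorCode", "").startswith("AccessDenied")
        for key in keys:
            entry = summary[(ident.get("arn", "<unknown>"), key)]
            entry["denied" if denied else "allowed"].add("kms:" + ev["eventName"])
            # invokedBy is set when an AWS service made the call for the principal
            entry["via"].add(ident.get("invokedBy", "direct"))
    return dict(summary)

def denied_actions(events, principal_arn):
    """Sorted KMS actions denied to one principal, across all keys."""
    out = set()
    for (arn, _key), entry in summarize_kms_calls(events).items():
        if arn == principal_arn:
            out |= entry["denied"]
    return sorted(out)

if __name__ == "__main__":
    for (arn, key), e in summarize_kms_calls(SAMPLE_EVENTS).items():
        print(arn, key, json.dumps({k: sorted(v) for k, v in e.items()}))
```

The denied set is the list of actions to weigh before widening the key policy, and the "via" value shows whether they were requested by the service rather than by the script directly.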